draft-ietf-i2nsf-capability-data-model-20.txt   draft-ietf-i2nsf-capability-data-model-21.txt 
I2NSF Working Group S. Hares, Ed. I2NSF Working Group S. Hares, Ed.
Internet-Draft Huawei Internet-Draft Huawei
Intended status: Standards Track J. Jeong, Ed. Intended status: Standards Track J. Jeong, Ed.
Expires: 7 April 2022 J. Kim Expires: 17 May 2022 J. Kim
Sungkyunkwan University Sungkyunkwan University
R. Moskowitz R. Moskowitz
HTT Consulting HTT Consulting
Q. Lin Q. Lin
Huawei Huawei
4 October 2021 13 November 2021
I2NSF Capability YANG Data Model I2NSF Capability YANG Data Model
draft-ietf-i2nsf-capability-data-model-20 draft-ietf-i2nsf-capability-data-model-21
Abstract Abstract
This document defines an information model and the corresponding YANG This document defines an information model and the corresponding YANG
data model for the capabilities of various Network Security Functions data model for the capabilities of various Network Security Functions
(NSFs) in the Interface to Network Security Functions (I2NSF) (NSFs) in the Interface to Network Security Functions (I2NSF)
framework to centrally manage the capabilities of the various NSFs. framework to centrally manage the capabilities of the various NSFs.
Status of This Memo Status of This Memo
skipping to change at page 1, line 39 skipping to change at page 1, line 39
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 7 April 2022. This Internet-Draft will expire on 17 May 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 32 skipping to change at page 3, line 32
Security Capabilities describe the functions that Network Security Security Capabilities describe the functions that Network Security
Functions (NSFs) can provide for security policy enforcement. Functions (NSFs) can provide for security policy enforcement.
Security Capabilities are independent of the actual security policy Security Capabilities are independent of the actual security policy
that will implement the functionality of the NSF. that will implement the functionality of the NSF.
Every NSF SHOULD be described with the set of capabilities it offers. Every NSF SHOULD be described with the set of capabilities it offers.
Security Capabilities enable security functionality to be described Security Capabilities enable security functionality to be described
in a vendor-neutral manner. Security Capabilities are a market in a vendor-neutral manner. Security Capabilities are a market
enabler, providing a way to define customized security protection by enabler, providing a way to define customized security protection by
unambiguously describing the security features offered by a given unambiguously describing the security features offered by a given
NSF. Note that this YANG data model constructs the structure of the NSF. Note that this YANG data model forms the basis of the NSF
NSF Monitoring Interface YANG data model Monitoring Interface YANG data model
[I-D.ietf-i2nsf-nsf-monitoring-data-model] and the NSF-Facing [I-D.ietf-i2nsf-nsf-monitoring-data-model] and the NSF-Facing
Interface YANG Data Model [I-D.ietf-i2nsf-nsf-facing-interface-dm]. Interface YANG data model [I-D.ietf-i2nsf-nsf-facing-interface-dm].
This document provides an information model and the corresponding This document provides an information model and the corresponding
YANG data model [RFC6020][RFC7950] that defines the capabilities of YANG data model [RFC6020][RFC7950] that defines the capabilities of
NSFs to centrally manage the capabilities of those NSFs. The NSFs NSFs to centrally manage the capabilities of those NSFs. The NSFs
can register their own capabilities into a Network Operator can register their own capabilities into a Network Operator
Management (Mgmt) System (i.e., Security Controller) with this YANG Management (Mgmt) System (i.e., Security Controller) with this YANG
data model through the registration interface [RFC8329]. With the data model through the registration interface [RFC8329]. With the
database of the capabilities of those NSFs that are maintained database of the capabilities of those NSFs that are maintained
centrally, those NSFs can be more easily managed [RFC8329]. centrally, those NSFs can be more easily managed [RFC8329].
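Review bot: the sentence "can register their own capabilities into a Network Operator Management (Mgmt) System (i.e., Security Controller) with this YANG data model through the registration interface [RFC8329]" cites only the framework document for the registration step, while the data model that actually carries a capability registration, [I-D.ietf-i2nsf-registration-interface-dm], sits in the Normative References (Section 10.1) but is never cited at this point. Suggest citing it alongside the framework here, e.g. "through the Registration Interface [RFC8329] using the Registration Interface YANG data model [I-D.ietf-i2nsf-registration-interface-dm]", so that the normative reference is used in the body text and a reader knows which module the capabilities are carried in.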
skipping to change at page 16, line 20 skipping to change at page 16, line 20
* [RFC1939] * [RFC1939]
* [RFC2474] * [RFC2474]
* [RFC2818] * [RFC2818]
* [RFC3168] * [RFC3168]
* [RFC3261] * [RFC3261]
* [RFC3501] * [RFC9051]
* [RFC4250] * [RFC4250]
* [RFC4340] * [RFC4340]
* [RFC4443] * [RFC4443]
* [RFC4766] * [RFC4766]
* [RFC4960] * [RFC4960]
skipping to change at page 17, line 22 skipping to change at page 17, line 22
* [IANA-Protocol-Numbers] * [IANA-Protocol-Numbers]
* [I-D.ietf-tcpm-rfc793bis] * [I-D.ietf-tcpm-rfc793bis]
* [I-D.ietf-tcpm-accurate-ecn] * [I-D.ietf-tcpm-accurate-ecn]
* [I-D.ietf-tsvwg-udp-options] * [I-D.ietf-tsvwg-udp-options]
* [I-D.ietf-i2nsf-nsf-monitoring-data-model] * [I-D.ietf-i2nsf-nsf-monitoring-data-model]
<CODE BEGINS> file "ietf-i2nsf-capability@2021-10-04.yang" <CODE BEGINS> file "ietf-i2nsf-capability@2021-11-13.yang"
module ietf-i2nsf-capability { module ietf-i2nsf-capability {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability"; "urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability";
prefix prefix
nsfcap; nsfcap;
organization organization
"IETF I2NSF (Interface to Network Security Functions) "IETF I2NSF (Interface to Network Security Functions)
Working Group"; Working Group";
skipping to change at page 18, line 28 skipping to change at page 18, line 28
Relating to IETF Documents Relating to IETF Documents
(https://trustee.ietf.org/license-info). (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices."; for full legal notices.";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
revision "2021-10-04"{ revision "2021-11-13"{
description "Initial revision."; description "Initial revision.";
reference reference
"RFC XXXX: I2NSF Capability YANG Data Model"; "RFC XXXX: I2NSF Capability YANG Data Model";
// RFC Ed.: replace XXXX with an actual RFC number and remove // RFC Ed.: replace XXXX with an actual RFC number and remove
// this note. // this note.
} }
/* /*
* Identities * Identities
skipping to change at page 35, line 15 skipping to change at page 35, line 15
"The identity for Post Office Protocol 3."; "The identity for Post Office Protocol 3.";
reference reference
"RFC 1939: Post Office Protocol - Version 3 (POP3)"; "RFC 1939: Post Office Protocol - Version 3 (POP3)";
} }
identity imap { identity imap {
base application-protocol; base application-protocol;
description description
"The identity for Internet Message Access Protocol."; "The identity for Internet Message Access Protocol.";
reference reference
"RFC 3501: INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1"; "RFC 9051: Internet Message Access Protocol (IMAP) - Version 4rev2";
} }
identity action { identity action {
description description
"Base identity for action capability"; "Base identity for action capability";
} }
identity log-action { identity log-action {
base action; base action;
description description
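Review bot: the reference swap from RFC 3501 to RFC 9051 on the imap identity (and in the reference listing at page 16) is correct in that RFC 9051 obsoletes RFC 3501, but the identity's description is version-neutral ("The identity for Internet Message Access Protocol") and IMAP4rev1 servers remain the common deployment, so an NSF classifying IMAP traffic will see both versions. Suggest either keeping RFC 3501 as a second reference line or stating in the description that the identity covers IMAP4rev1 and IMAP4rev2 alike, so nobody infers that only 4rev2 traffic matches this identity. The pop3 identity above it is unaffected.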
skipping to change at page 49, line 30 skipping to change at page 49, line 30
Name: ietf-i2nsf-capability Name: ietf-i2nsf-capability
Maintained by IANA? N Maintained by IANA? N
Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability Namespace: urn:ietf:params:xml:ns:yang:ietf-i2nsf-capability
Prefix: nsfcap Prefix: nsfcap
Module: Module:
Reference: [ RFC-to-be ] Reference: [ RFC-to-be ]
8. Privacy Considerations 8. Privacy Considerations
This YANG module specifies the capabilities for NSFs. Some of the This YANG module specifies the capabilities of NSFs. These
capabilities in this document MAY require highly sensitive private capabilities are consistent with the diverse set of network security
data to operate properly. The usage of such capability MUST be functions in common use in enterprise security operations. The
reported to the users and permitted before using the private configuration of the capabilities may entail privacy sensitive
information related to the capability. Using any of the capabilities information as explicitly outlined in Section 9. The NSFs
that require private data MUST preserve the privacy by preventing any implementing these capabilities may inspect, alter or drop user
leakage or unauthorized disclosure of the private data. traffic; and be capable of attributing user traffic to individual
users.
In regards to the privacy data used, the security for accessibility Due to the sensitivity of these capabilities, notice must be provided
of the data should be tightly secured and monitored. The Security to and consent must be received from the users of the network.
Considerations are discussed in Section 9. Additionally, the collected data and associated infrastructure must
be secured to prevent the leakage or unauthorized disclosure of this
private data.
9. Security Considerations 9. Security Considerations
The YANG module specified in this document defines a data schema The YANG module specified in this document defines a data schema
designed to be accessed through network management protocols such as designed to be accessed through network management protocols such as
NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest layer of NETCONF NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest layer of NETCONF
protocol layers MUST use Secure Shell (SSH) [RFC4254][RFC6242] as a protocol layers MUST use Secure Shell (SSH) [RFC4254][RFC6242] as a
secure transport layer. The lowest layer of RESTCONF protocol layers secure transport layer. The lowest layer of RESTCONF protocol layers
MUST use HTTP over Transport Layer Security (TLS), that is, HTTPS MUST use HTTP over Transport Layer Security (TLS), that is, HTTPS
[RFC7230][RFC8446] as a secure transport layer. [RFC7230][RFC8446] as a secure transport layer.
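Review bot: the rewritten Privacy Considerations drop the BCP 14 keywords the -20 text used: "notice must be provided to and consent must be received" and "must be secured" are now lowercase, so they no longer carry the normative force of the old "MUST be reported to the users and permitted" and "MUST preserve the privacy". If these are meant as requirements on NSF deployments, restore "MUST"; if the softening is intentional, state it or use "should". The forward pointer "as explicitly outlined in Section 9" also needs checking: the part of Section 9 visible here covers only the NETCONF/RESTCONF transport requirements and does not enumerate which capability configuration is privacy sensitive, so either Section 9 must contain that enumeration or the pointer should go to where it lives. Separately, in Section 9 "The lowest layer of NETCONF protocol layers MUST use Secure Shell (SSH) [RFC4254][RFC6242]" is stronger than RFC 6241, which makes SSH the mandatory-to-implement transport but permits other secure mappings such as NETCONF over TLS [RFC7589]; the RFC 8407 template wording ("the mandatory-to-implement secure transport is SSH") avoids forbidding TLS-only deployments. Minor: "may inspect, alter or drop user traffic; and be capable of" reads better as "may inspect, alter, or drop user traffic and may be capable of".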
skipping to change at page 52, line 27 skipping to change at page 52, line 27
of Explicit Congestion Notification (ECN) to IP", of Explicit Congestion Notification (ECN) to IP",
RFC 3168, DOI 10.17487/RFC3168, September 2001, RFC 3168, DOI 10.17487/RFC3168, September 2001,
<https://www.rfc-editor.org/info/rfc3168>. <https://www.rfc-editor.org/info/rfc3168>.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E. A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261, Schooler, "SIP: Session Initiation Protocol", RFC 3261,
DOI 10.17487/RFC3261, June 2002, DOI 10.17487/RFC3261, June 2002,
<https://www.rfc-editor.org/info/rfc3261>. <https://www.rfc-editor.org/info/rfc3261>.
[RFC3501] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
4rev1", RFC 3501, DOI 10.17487/RFC3501, March 2003,
<https://www.rfc-editor.org/info/rfc3501>.
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
DOI 10.17487/RFC3688, January 2004, DOI 10.17487/RFC3688, January 2004,
<https://www.rfc-editor.org/info/rfc3688>. <https://www.rfc-editor.org/info/rfc3688>.
[RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH) [RFC4250] Lehtinen, S. and C. Lonvick, Ed., "The Secure Shell (SSH)
Protocol Assigned Numbers", RFC 4250, Protocol Assigned Numbers", RFC 4250,
DOI 10.17487/RFC4250, January 2006, DOI 10.17487/RFC4250, January 2006,
<https://www.rfc-editor.org/info/rfc4250>. <https://www.rfc-editor.org/info/rfc4250>.
[RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH) [RFC4254] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
skipping to change at page 55, line 24 skipping to change at page 55, line 19
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., [RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525, and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019, DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>. <https://www.rfc-editor.org/info/rfc8525>.
[RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
Kumari, "A Format for Self-Published IP Geolocation
Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
<https://www.rfc-editor.org/info/rfc8805>.
[RFC9051] Melnikov, A., Ed. and B. Leiba, Ed., "Internet Message
Access Protocol (IMAP) - Version 4rev2", RFC 9051,
DOI 10.17487/RFC9051, August 2021,
<https://www.rfc-editor.org/info/rfc9051>.
[I-D.ietf-tcpm-rfc793bis] [I-D.ietf-tcpm-rfc793bis]
Eddy, W. M., "Transmission Control Protocol (TCP) Eddy, W. M., "Transmission Control Protocol (TCP)
Specification", Work in Progress, Internet-Draft, draft- Specification", Work in Progress, Internet-Draft, draft-
ietf-tcpm-rfc793bis-25, 7 September 2021, ietf-tcpm-rfc793bis-25, 7 September 2021,
<https://www.ietf.org/archive/id/draft-ietf-tcpm- <https://www.ietf.org/archive/id/draft-ietf-tcpm-
rfc793bis-25.txt>. rfc793bis-25.txt>.
[I-D.ietf-tcpm-accurate-ecn] [I-D.ietf-tcpm-accurate-ecn]
Briscoe, B., Kühlewind, M., and R. Scheffenegger, "More Briscoe, B., Kühlewind, M., and R. Scheffenegger, "More
Accurate ECN Feedback in TCP", Work in Progress, Internet- Accurate ECN Feedback in TCP", Work in Progress, Internet-
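Review bot: [RFC8805] (self-published IP geolocation feeds) has been moved out of the Informative References, where the -20 text listed it under Section 10.2, into the Normative References next to the new [RFC9051] entry. A normative reference means an implementer must read and follow RFC 8805 to implement this module; if the geolocation capability only points to RFC 8805 as an example of a feed format, the reference should stay informative. Please confirm which reference statement in the module cites it and whether conformance actually depends on it. Also, [I-D.ietf-tcpm-rfc793bis] and [I-D.ietf-tcpm-accurate-ecn] remain normative references to Internet-Drafts; the RFC Editor will hold this document in MISSREF until those publish, so make them informative unless the module's conformance genuinely depends on their content.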
skipping to change at page 55, line 48 skipping to change at page 56, line 4
[I-D.ietf-tsvwg-udp-options] [I-D.ietf-tsvwg-udp-options]
Touch, J., "Transport Options for UDP", Work in Progress, Touch, J., "Transport Options for UDP", Work in Progress,
Internet-Draft, draft-ietf-tsvwg-udp-options-13, 19 June Internet-Draft, draft-ietf-tsvwg-udp-options-13, 19 June
2021, <https://www.ietf.org/archive/id/draft-ietf-tsvwg- 2021, <https://www.ietf.org/archive/id/draft-ietf-tsvwg-
udp-options-13.txt>. udp-options-13.txt>.
[I-D.ietf-i2nsf-nsf-monitoring-data-model] [I-D.ietf-i2nsf-nsf-monitoring-data-model]
Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H. Jeong, J. (., Lingga, P., Hares, S., Xia, L. (., and H.
Birkholz, "I2NSF NSF Monitoring Interface YANG Data Birkholz, "I2NSF NSF Monitoring Interface YANG Data
Model", Work in Progress, Internet-Draft, draft-ietf- Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-monitoring-data-model-10, 15 September 2021, i2nsf-nsf-monitoring-data-model-11, 15 October 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
monitoring-data-model-10.txt>. monitoring-data-model-11.txt>.
[I-D.ietf-i2nsf-nsf-facing-interface-dm] [I-D.ietf-i2nsf-nsf-facing-interface-dm]
Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin, Kim, J. (., Jeong, J. (., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG "I2NSF Network Security Function-Facing Interface YANG
Data Model", Work in Progress, Internet-Draft, draft-ietf- Data Model", Work in Progress, Internet-Draft, draft-ietf-
i2nsf-nsf-facing-interface-dm-14, 15 September 2021, i2nsf-nsf-facing-interface-dm-15, 4 October 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-nsf-
facing-interface-dm-14.txt>. facing-interface-dm-15.txt>.
[I-D.ietf-i2nsf-registration-interface-dm] [I-D.ietf-i2nsf-registration-interface-dm]
Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park, Hyun, S., Jeong, J. P., Roh, T., Wi, S., and J. Park,
"I2NSF Registration Interface YANG Data Model", Work in "I2NSF Registration Interface YANG Data Model", Work in
Progress, Internet-Draft, draft-ietf-i2nsf-registration- Progress, Internet-Draft, draft-ietf-i2nsf-registration-
interface-dm-12, 15 September 2021, interface-dm-13, 4 October 2021,
<https://www.ietf.org/archive/id/draft-ietf-i2nsf- <https://www.ietf.org/archive/id/draft-ietf-i2nsf-
registration-interface-dm-12.txt>. registration-interface-dm-13.txt>.
10.2. Informative References 10.2. Informative References
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818,
DOI 10.17487/RFC2818, May 2000, DOI 10.17487/RFC2818, May 2000,
<https://www.rfc-editor.org/info/rfc2818>. <https://www.rfc-editor.org/info/rfc2818>.
[RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)", [RFC6691] Borman, D., "TCP Options and Maximum Segment Size (MSS)",
RFC 6691, DOI 10.17487/RFC6691, July 2012, RFC 6691, DOI 10.17487/RFC6691, July 2012,
<https://www.rfc-editor.org/info/rfc6691>. <https://www.rfc-editor.org/info/rfc6691>.
skipping to change at page 56, line 48 skipping to change at page 57, line 5
and J. Jeong, "Interface to Network Security Functions and J. Jeong, "Interface to Network Security Functions
(I2NSF): Problem Statement and Use Cases", RFC 8192, (I2NSF): Problem Statement and Use Cases", RFC 8192,
DOI 10.17487/RFC8192, July 2017, DOI 10.17487/RFC8192, July 2017,
<https://www.rfc-editor.org/info/rfc8192>. <https://www.rfc-editor.org/info/rfc8192>.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018, Functions", RFC 8329, DOI 10.17487/RFC8329, February 2018,
<https://www.rfc-editor.org/info/rfc8329>. <https://www.rfc-editor.org/info/rfc8329>.
[RFC8805] Kline, E., Duleba, K., Szamonek, Z., Moser, S., and W.
Kumari, "A Format for Self-Published IP Geolocation
Feeds", RFC 8805, DOI 10.17487/RFC8805, August 2020,
<https://www.rfc-editor.org/info/rfc8805>.
[IANA-Protocol-Numbers] [IANA-Protocol-Numbers]
"Assigned Internet Protocol Numbers", Available: "Assigned Internet Protocol Numbers", Available:
https://www.iana.org/assignments/protocol- https://www.iana.org/assignments/protocol-
numbers/protocol-numbers.xhtml, September 2020. numbers/protocol-numbers.xhtml, September 2020.
[IEEE802.3-2018] [IEEE802.3-2018]
Committee, I. S., "IEEE 802.3-2018 - IEEE Standard for Committee, I. S., "IEEE 802.3-2018 - IEEE Standard for
Ethernet", August 2018, Ethernet", August 2018,
<https://ieeexplore.ieee.org/document/8457469>. <https://ieeexplore.ieee.org/document/8457469>.
 End of changes. 21 change blocks. 
36 lines changed or deleted 40 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/